Mobile Device Management (MDM)
2213 Topics

Did expediting the 2024-08 Quality Updates fail for anyone else?
I posted this question yesterday on the Windows Servicing board, but there isn't much activity there. I hope it's okay to re-post it here.

Due to the CVE-2024-38063 vulnerability, we attempted to use the Expedited Quality Updates feature to enforce the immediate installation of the 2024-08 security updates. Unfortunately, the feature simply did not work. Even a couple weeks after deploying the expedited update profile, we had about 25% of our Windows endpoints still in "Pending" status, most of which were powered on 24/7.

We still have ConfigMgr in our environment, so I used CMPivot to run a query for events in the System log with "2024-08" in the message. This showed me that rather than installing the update and forcing a restart one day later as configured, the update was being installed, then reverted about ten hours later, then immediately re-installed again, over and over:

If I manually initiated a restart on any of the affected machines, the update was successfully finalized, so the issue wasn't a failure to install the update.

I've opened a case with Microsoft Support, but it is progressing slowly. If nobody else is seeing the issue, I will throw in the towel, but if it's more widespread, I think it is worth fighting to get this fixed (assuming that Microsoft isn't already aware and has simply chosen not to publicize it — for example, in the Windows release health blade in the Microsoft 365 Admin Center).

730 Views, 1 like, 8 Comments

Blue screen crashes caused by April updates KB5055523
Hi, I have some test devices affected from installing KB5055523, the update will not install with an error code 0x800f081f. I have just stopped/uninstalled this deployment under updates ring for QU and am wondering if I resume it will probably go to the latest quality update with this issue 2025.04 B one or will just go to the 2025.4 OOB...

W11 release and KB issue:
https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
https://www.windowslatest.com/2025/04/11/windows-11-microsoft-warns-do-not-delete-inetpub-folder-after-causing-confusion/

Regards, Bogdan

345 Views, 0 likes, 3 Comments

Connected experiences M365 Apps
Hi, Have you had any experience with this policy regarding the connected experience? I have concerns that this will affect the end user experience, it would be nice to get some feedback from you.

Information about new policies and connected experiences:

Starting with Version 1904 of Microsoft 365 Apps for enterprise, there are new policy settings that will allow you to control settings related to the following:
- Diagnostic data that is collected and sent to Microsoft about Office client software being used
- Connected experiences that use cloud-based functionality to provide enhanced Office features to you and your users.

The following are the five new policy settings:
- Configure the level of client software diagnostic data sent by Office to Microsoft
- Allow the use of connected experiences in Office that analyze content
- Allow the use of connected experiences in Office that download online content
- Allow the use of additional optional connected experiences in Office
- Allow the use of connected experiences in Office

https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/manage-privacy-controls

Regards, Bogdan

Solved, 58 Views, 0 likes, 3 Comments

Problems with proxy intune
Hello everybody, I am having trouble understanding the releases that should be made on my firewall. I'm using https://docs.microsoft.com/en-us/intune/fundamentals/intune-endpoints

What I don't understand is if I have to configure inbound and outbound ... because the firewall team is questioning the inbound rules.

For example (from / to / door): Wifi Network / portal.manage.microsoft.com / 443

But when it comes back I can't just leave my wifi network, I need to specify one hostname. I don't know if I need to configure the inbound? If it's needed, how do I configure it?

Thanks so much

3.1K Views, 1 like, 2 Comments

Intune Android Fully Managed - Play Store Error
Hi all, I've just noticed that our Android Fully Managed handsets are getting an error when opening the Play Store, which says "Update Google Play Store - Google Play Store won't run unless you update". We have never seen this before and have been running this profile for 18 months now. I've tried clearing the Store cache, uninstalling Play Store updates, no avail. I even wiped my device, but it's still the same. Any help would be much appreciated. Thanks.

33 Views, 0 likes, 0 Comments

Moving from MDT/WDS to Autopilot part 2
Hi everyone

Following up on my previous post about moving from MDT/WDS to Windows Autopilot, I wanted to share some of the more detailed parts of the deployment and config that might help others working through similar issues.

Wi-Fi (RADIUS + NPS + Azure AD Join): This was hands-down one of the trickiest bits. We use a local RADIUS server (Windows NPS) with certificates for EAP authentication, and users authenticate using local AD credentials, despite Autopilot devices being Azure AD joined. I had to build a custom Wi-Fi configuration profile in Intune that handled certificate trust, proper targeting, and worked with our existing NPS policies. If anyone needs help with this scenario, I’m happy to share more details. I’ll be posting the full configuration soon.

BitLocker Conflicts: BitLocker generally worked but only after cleaning up overlapping configurations. Intune allows BitLocker settings to be applied via multiple paths (Device Configuration, Endpoint Security, Encryption, even legacy GPOs via ADMX). I found they MUST be aligned across all sources — otherwise, ESP fails or encryption doesn’t trigger. My fix: consolidate BitLocker settings under Endpoint Security and Windows Configurations and ensure nothing else contradicts them, they give different options hence the need for the two.

App Deployment + Detection Scripts: Some software just doesn’t play nice with Intune alone. We had issues with SolidWorks and other legacy tools. For these, I used NinjaOne to run custom silent installers and Intune detection scripts to track success and reapply if needed. For complex installs, I had to fall back on Proactive Remediation scripts to detect and fix problems.

Compliance Baselines & Settings: We're gradually shifting to Intune-based compliance. I ported over our core GPO baselines and rebuilt them using Configuration Profiles, Settings Catalog, and Security Baselines. Compliance policies then reference these, so non-conformant machines are flagged. Still evolving this as we onboard more devices.

Licensing Requirements: For anyone wondering, some of these capabilities require specific licensing. We're running "Microsoft 365 E3" + "Enterprise Mobility + Security E3", which gives us access to:
- Proactive Remediations
- Intune-based compliance management
- Scripted deployments and reporting

Note, only 1 user in the tenant needs these two licences to enable the features.

Summary

This move to Autopilot wasn’t just a deployment change, it pushed us to rethink how we handle security, authentication, app installs, and policy enforcement. There’s still more to do, but we’ve built a solid foundation that’s scalable and more resilient than our old MDT-based approach.

If you’re dealing with similar challenges or stuck on something like Wi-Fi, BitLocker or app installs, feel free to reach out. I’ve probably hit the same wall and am happy to compare notes or share scripts/settings if it helps.

Cheers, Timothy Jeens

19 Views, 0 likes, 0 Comments

Managed google play connection fails at last step.
I am trying to complete Android enrollment.

I start the Managed Google Play connection wizard.
It autopopulates with another email address from my company saying "your EMM suggests using email address removed for privacy reasons"
I change the email and put a dedicated non-personal email.
I login with the Microsoft credentials.
I enter the company name and country.
I accept Android enterprise as the only subscription.
I agree to the Google Agreements.
I accept Allow and create on the page for "Manage your Android Enterprise devices using Microsoft Intune".
I get a screen which says You will be redirected to Microsoft Intune to complete the process for a while.
Then I get a something went wrong screen.

55 Views, 0 likes, 2 Comments

Invalid profile
Hi all, I have tried to enrol a device to Intune using Configurator into Apple School Manager, which works fine and then gets passed into Intune. However, when I assign a profile (existing or new) it fails. When pressing the enrol button on the iPad it says "invalid profile". I can't go any further; all I can do is release from org then try again, but I have tried multiple times with no luck. Any ideas?

34 Views, 0 likes, 0 Comments

How to centrally switch off Focus Assist / Do not disturb
Hello,

Please advise if it’s possible to push out a policy or reg edit script that will completely switch off Focus Assist (Windows 10) or Do not Disturb (Windows 11)?

This is causing havoc with our 3CX SIP app – when this feature is on, it prevents the 3CX pop-up appearing when an inbound call is routed to the user’s device.

I have spent hours researching and testing various registry settings and Intune policies, none of which I can get working for both Windows 10 and Windows 11 endpoints. Do not disturb is enabled by default OOB. This setting appears to be controlled at user level (HKEY_CURRENT_USER).

The only thing that works is for the user to “manually” switch off this feature, as per below. This isn’t convenient when you have hundreds of endpoints! Users will not do the steps if you email or message them.

Surely there must be a way to control this functionality via GPO?

Examples of changes that do not work:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings

Intune

2.6K Views, 0 likes, 7 Comments